Cybersecurity Blog | Ingalls Information Security

Okta IAM Platform Cybersecurity Advisory

Written by Cyrus Robinson | Mar 24, 2022 4:00:00 AM

On March 22, 2022, the Lapsus$ threat group (aka DEV-0537), which recently gained notoriety for compromises of Microsoft, Samsung, Nvidia, and others, announced that it had compromised the Identity and Access Management (IAM) platform Okta. Further, Lapsus$ claims to have gained access to client environments and sensitive information via its access to Okta. Lapsus$ representatives posted screenshots that seemed to suggest access to sensitive information, including sensitive information for Cloudflare users.


Impact

Okta initially claimed that the compromise, which occurred between 16-21 January, was limited in scope to the access of Okta support engineers. Okta indicates that while support engineers can assist users with password changes, they cannot obtain those passwords, cannot create or delete users, and cannot download customer databases. Okta later indicated that 2.5% of its customers may have been impacted and had data viewed or acted upon. It isn't clear at this point what type of data may have been seen or what type of actions may have been taken. However, Okta indicates that it has already reached out to these potentially impacted clients directly by email. Cloudflare's investigation concluded that a compromise had not occurred within its environment. Nevertheless, Cloudflare's recommendations are worth considering for organizations that use Okta as an IAM.


Recommendations

Cloudflare recommends the following actions:

  1. Enable MFA for all user accounts. Passwords alone do not offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys, as other methods of MFA can be vulnerable to phishing attacks.
  2. Investigate and respond:
    1. Check all password and MFA changes for your Okta instances.
    2. Pay special attention to support initiated events.
    3. Make sure all password resets are valid or just assume they are all under suspicion and force a new password reset.
    4. If you find any suspicious MFA-related events, make sure only valid MFA keys are present in the user's account configuration.
  3. Make sure you have other security layers to provide extra security in case one of them fails.


As an additional precaution Ingalls encourages organizations who use Okta to also consider these additional recommendations:

  1. Download a copy of Okta System Logs currently available (by default, they are retained for 90 days, so they should go back to the end of December).
  2. Review impossible travel logins, anomalous logins, and accounts created or changed since January 16, 2022.
  3. Reset user passwords: Prioritize privileged users, service accounts, and any users whose passwords have been reset since January 16, 2022. In order to have a record of legitimate password changes, document who performed the password resets, when the resets were performed, the IP address of the user who requested the resets, and a list of users whose passwords were reset.
  4. Audit MFA enrollment status to verify that enforcement hasn't been removed from accounts which should have it enabled.
  5. Rotate API tokens.
  6. Disable Okta Support Access until it has been confirmed that there is no further compromise or unless it's required.
  7. Disable Directory Debugger Access until it has been confirmed that there is no further compromise or unless it's required.
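As an added example of the log review in steps 1 through 4 (this is not Ingalls' or Cloudflare's code), the Python below triages exported Okta System Log entries and pulls out support-initiated sessions, password resets, MFA factor removals, and account creations on or after January 16, 2022, with the actor, source IP, and affected users needed for the record step 3 asks for. The event type names are assumed from Okta's documented System Log and should be checked against your own tenant; the sample entries are constructed.

```python
from datetime import datetime, timezone

# Start of the review window named in the advisory (Okta's stated window began 16 Jan 2022).
REVIEW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)

# Okta System Log eventType values mapped to the advisory's review categories. These names
# are assumed from Okta's documented event types; confirm them against your tenant's log.
WATCHED_EVENTS = {
    "user.session.impersonation.initiate": "support-initiated session",
    "user.account.reset_password": "password reset",
    "user.account.update_password": "password change",
    "user.mfa.factor.reset_all": "MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.lifecycle.create": "account created",
}

def parse_published(ts):  # Okta timestamps look like 2022-01-18T09:12:44.000Z (UTC)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage(events, since=REVIEW_START):
    """Return watched events published on/after `since`, oldest first, with who/what/where."""
    findings = []
    for e in events:
        category = WATCHED_EVENTS.get(e.get("eventType"))
        if category is None or parse_published(e["published"]) < since:
            continue  # not a watched change, or outside the review window
        findings.append({
            "published": e["published"],
            "category": category,
            "actor": e.get("actor", {}).get("alternateId"),       # who performed it
            "ip": e.get("client", {}).get("ipAddress"),           # where the request came from
            "targets": [t.get("alternateId") for t in e.get("target") or []],  # affected users
        })
    findings.sort(key=lambda f: f["published"])
    return findings

# Constructed sample entries in the System Log JSON shape (not real tenant data).
SAMPLE_EVENTS = [
    {"eventType": "user.session.impersonation.initiate", "published": "2022-01-18T09:12:44.000Z",
     "actor": {"alternateId": "support@example.invalid"}, "client": {"ipAddress": "203.0.113.5"}, "target": [{"alternateId": "alice@corp.example"}]},
    {"eventType": "user.account.reset_password", "published": "2022-01-18T09:14:02.000Z",
     "actor": {"alternateId": "support@example.invalid"}, "client": {"ipAddress": "203.0.113.5"}, "target": [{"alternateId": "alice@corp.example"}]},
    {"eventType": "user.account.reset_password", "published": "2022-01-10T15:00:00.000Z",
     "actor": {"alternateId": "admin@corp.example"}, "client": {"ipAddress": "198.51.100.7"}, "target": [{"alternateId": "bob@corp.example"}]},
    {"eventType": "user.session.start", "published": "2022-01-20T08:00:00.000Z",
     "actor": {"alternateId": "carol@corp.example"}, "client": {"ipAddress": "198.51.100.9"}, "target": []},
]

for f in triage(SAMPLE_EVENTS):
    print(f["published"], f["category"], f["actor"], f["ip"], f["targets"])
```

Run against the full export rather than a sample, and treat every support-initiated session followed shortly by a password or MFA change on the same target as a case to verify with the user.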


Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock, MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact us for more information.